enable full heap randomisation

set kernel.randomize_va_space=2 to enable full heap randomisation.
Citing sysctl/kernel.txt:
2 - Additionally enable heap randomization. This is the default if
CONFIG_COMPAT_BRK is disabled.
There are a few legacy applications out there (such as some ancient
versions of libc.so.5 from 1996) that assume that brk area starts
just after the end of the code+bss. These applications break when
start of the brk area is randomized. There are however no known
non-legacy applications that would be broken this way, so for most
systems it is safe to choose full randomization.

Systems with ancient and/or broken binaries should be configured
with CONFIG_COMPAT_BRK enabled, which excludes the heap from process
address space randomization.

icons/user_comment.png J. E. wrote: (6 years ago)

At the same time, what about setting CONFIG_COMPAT_VDSO to disabled as well?

icons/user_comment.png M. M. wrote: (6 years ago)

Security is all in favour of that.

icons/user_comment.png A. J. wrote: (6 years ago)

Let's go for it...

icons/user_comment.png K. E. wrote: (3 years ago)

One of you guys please to move this from 12 SP1 to 12 (GA).

icons/user_comment.png K. E. wrote: (3 years ago)

We please need this in SLE 12 (GA).

icons/user_comment.png K. E. wrote: (3 years ago)

icons/user_comment.png L. P. wrote: (3 years ago)

Implemented - commit 990b059df in SUSE kernel tree.

icons/user_comment.png S. L. wrote: (3 years ago)

Not better to add special flag to ELF files, which contains kernel and other related information, like full heap randomization?

Who creates/manages ELF specification?
You could (probably) add extra section for store this information.

